Uploadify is an awesome script and it works like a charm. But – there’s always a but – sometimes it throws a mysterious 302 error. This happened to me all day long and it drove me crazy. Well, not really, I was already crazy 🙂 So, what to do when the HTTP 302 error pops up? A quick look over the HTTP statuses should point me in the right direction:

The requested resource resides temporarily under a different URI. Since the redirection might be altered on occasion, the client SHOULD continue to use the Request-URI for future requests. This response is only cacheable if indicated by a Cache-Control or Expires header field.

The temporary URI SHOULD be given by the Location field in the response. Unless the request method was HEAD, the entity of the response SHOULD contain a short hypertext note with a hyperlink to the new URI(s).

If the 302 status code is received in response to a request other than GET or HEAD, the user agent MUST NOT automatically redirect the request unless it can be confirmed by the user, since this might change the conditions under which the request was issued.

That is the definition of the 302 status. In simple English, it means a redirect. So what happens!? For security reasons, I turned on the cookie-httponly setting and the client-side script was unable to access the cookies and pass the session id back to the server-side script, which in turn would see this connection as coming from a non-authenticated user and issue a redirect to the login page. Thus the mysterious 302 status.

The problem can be solved really easily, by turning the cookie-httponly setting off for the entire application. If that’s not desirable, there’s a more complicated solution. First, Uploadify must send the session id to the server together with the file:

JavaScript

$('#fileUpload').uploadify({
    'uploader': '/uploadify/uploadify.swf',
    'script': '/images/upload/',
    'cancelImg': '/uploadify/cancel.png',
    'auto': true,
    'fileExt': '*.jpg;*.gif;*.png',
    'fileDesc': 'Image Files',
    'sizeLimit': 2097152,
    // Rendered server-side: the session id is sent as a POST field with the file
    'scriptData': {'sid': '<?= Zend_Session::getId(); ?>'},
    onComplete: function(event, id, fileObj, response, data) {
        // bla bla bla
    }
});

…then, turn off the auto-start in the application.ini file:

phpSettings.session.strict="On"

…and in the Bootstrap.php file:

PHP

protected function _initSession()
{
    // Adopt the session id posted by Uploadify; this must happen before the session starts
    if (isset($_POST['sid'])) {
        Zend_Session::setId($_POST['sid']);
    }
    Zend_Session::start();
}

Of course, there are some security issues with both approaches, but nothing serious. Took me about 2 hours to figure it out 🙁
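An alternative to sending the session id itself, as an added example that is not part of the original post: the page puts a short-lived HMAC-signed upload token in scriptData and the upload action verifies it, so the session id never appears in the page markup and the server never adopts a session id taken from POST data. The function names, the key constant, the 5-minute lifetime and the numeric user id are all assumptions made for this sketch.

```php
<?php
// Added example, not the post's or Uploadify's own code. UPLOAD_TOKEN_KEY,
// issueUploadToken() and verifyUploadToken() are hypothetical names, and the
// key below is a placeholder for a random secret kept on the server.
const UPLOAD_TOKEN_KEY = 'replace-with-a-random-server-side-secret';
const UPLOAD_TOKEN_TTL = 300; // seconds a token stays valid (assumed value)

// Called while rendering the page; the result goes into scriptData,
// e.g. 'scriptData': {'token': '<?= issueUploadToken($userId) ?>'}.
// Token layout: "<userId>.<expiry>.<hex HMAC-SHA256 of userId.expiry>".
function issueUploadToken($userId, $now = null)
{
    $expires = ($now === null ? time() : $now) + UPLOAD_TOKEN_TTL;
    $payload = (int) $userId . '.' . $expires;
    return $payload . '.' . hash_hmac('sha256', $payload, UPLOAD_TOKEN_KEY);
}

// Called by the upload action with $_POST['token']. Returns the user id,
// or null when the token is malformed, tampered with or expired.
function verifyUploadToken($token, $now = null)
{
    $parts = is_string($token) ? explode('.', $token) : array();
    if (count($parts) !== 3 || !ctype_digit($parts[0]) || !ctype_digit($parts[1])) {
        return null;
    }
    list($userId, $expires, $mac) = $parts;
    $expected = hash_hmac('sha256', $userId . '.' . $expires, UPLOAD_TOKEN_KEY);
    if (!hash_equals($expected, $mac)) { // constant-time comparison
        return null;
    }
    if ((int) $expires < ($now === null ? time() : $now)) {
        return null;
    }
    return (int) $userId;
}

// Constructed demonstration: user id 42, token issued at timestamp 1000.
$token = issueUploadToken(42, 1000);
var_dump(verifyUploadToken($token, 1100));                   // still valid
var_dump(verifyUploadToken($token, 2000));                   // past its expiry
var_dump(verifyUploadToken('43' . substr($token, 2), 1100)); // user id altered
```

With this in place the upload action authorizes the request from the token alone, so the cookie-httponly setting can stay on and the _initSession() override is not needed.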